Bug 307818

Summary: Fishing protection: KMail displays title in link not href
Product: kmail2
Reporter: Thomas Tanghus <thomas>
Component: UI
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: meyerm, montel
Priority: NOR
Version: 4.9.1
Target Milestone: ---
Platform: Ubuntu Packages
OS: Linux
Latest Commit:
Version Fixed In: 4.10.2
Attachments: Example fishing attempt mail.

Description Thomas Tanghus 2012-10-04 09:21:51 UTC
Scammers often use the title attribute in links to disguise the href, and KMail doesn't do anything to protect against this. When hovering over a link in an HTML mail, the title is shown both in the hover tip and in the status line.

Reproducible: Always

Steps to Reproduce:
1. Open a scam mail such as the attached one.
2. Hover over the links to here linkedin.com
3. Both the hover tip and the status line show the title, not the link.
Actual Results:  
As described in reproduction steps.

Expected Results:  
The link should be shown both in hover tip and status line.

I'm using KMail from within Kontact but that shouldn't matter.
On purpose I haven't filed this as a feature request, because I think it's a basic security precaution that should be fixed.
Comment 1 Thomas Tanghus 2012-10-04 09:22:51 UTC
Created attachment 74328 [details]
Example fishing attempt mail.
Comment 2 Laurent Montel 2012-10-04 10:54:39 UTC
And what do you want us to do?
Comment 3 Thomas Tanghus 2012-10-04 11:18:57 UTC
Oh, I'm sorry if I didn't write that: Show the actual link in the href on hover instead of the title.

Example anchor link (dunno if bugzilla allows markup?)

<a href="http://http://rakibkhan.com/boWzhT98/index.html/" title="http://www.linkedin.com">Adjust your message settings.</a>

On hover show the possibly malicious link http://http://rakibkhan.com/boWzhT98/index.html instead of http://www.linkedin.com
Comment 4 Thomas Tanghus 2013-03-19 12:54:09 UTC
I'm sorry to bother again, but I really think this is a grave security issue. MUAs should help protect users against fishing attempts, and currently KMail does the opposite.
In Denmark we have a lot of mails spoofing e.g. the tax authorities' addresses, and the general advice is to hover over the links in the mail to see where they point. In KMail this doesn't work, so you have to view the source of the mail.
Comment 5 Laurent Montel 2013-03-19 15:16:53 UTC
Sorry I didn't have time to do it.
Will do it today or tomorrow.
Will implement scam search feature for 4.11

Regards.
Comment 6 Thomas Tanghus 2013-03-19 15:36:49 UTC
Great! I didn't mean to bug you, it just looked like it wasn't a priority.
Comment 7 Laurent Montel 2013-03-19 15:54:35 UTC
Git commit d598e27a603cce276068898cf8d244f51b1003ce by Montel Laurent.
Committed on 19/03/2013 at 16:51.
Pushed by mlaurent into branch 'KDE/4.10'.

Fix Bug 307818 - Fishing protection: KMail displays title in link not href

FIXED-IN: 4.10.2
always shows url and not title

M  +0    -4    messageviewer/viewer_p.cpp

http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce
Comment 8 Laurent Montel 2013-03-20 07:08:30 UTC
Git commit a40573f3758643708da5051df438daf4704da678 by Montel Laurent.
Committed on 20/03/2013 at 08:07.
Pushed by mlaurent into branch 'master'.

Implement scam detection. Now we have a warning when we detect that
a message can be a scam.
(for the moment we detect if an anchor has a title and it shows a URL
which is not the URL defined in href)

We will improve it.

M  +9    -0    messageviewer/mailwebview.h
M  +15   -2    messageviewer/mailwebview_webkit.cpp
M  +17   -12   messageviewer/scamdetection/scamdetection.cpp
M  +3    -5    messageviewer/scamdetection/scamdetection.h
M  +5    -0    messageviewer/scamdetection/scamdetectionwarningwidget.cpp
M  +3    -0    messageviewer/scamdetection/scamdetectionwarningwidget.h
M  +1    -0    messageviewer/viewer_p.cpp
M  +4    -1    messageviewer/webkitparthtmlwriter.cpp

http://commits.kde.org/kdepim/a40573f3758643708da5051df438daf4704da678
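The rule the commit above describes (an anchor whose title shows a URL other than the one in its href), written out as an added Python example rather than KMail's own C++ code. It goes one step beyond the commit's rule by also comparing the visible link text against the href; the sample mail uses the anchor quoted in comment 3 plus a second anchor constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _host(value):
    """Host of a URL-looking string (minus a leading 'www.'), else None."""
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        return None
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class AnchorCollector(HTMLParser):  # collects (href, title, text) per <a>
    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            self._current = [attrs.get("href") or "", attrs.get("title") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(tuple(self._current))
            self._current = None

def find_deceptive_links(html):
    """Return (href, shown URL) pairs whose hosts differ: the scam signal."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, title, text in parser.anchors:
        real = _host(href)
        if real is None:
            continue  # mailto:, relative links etc.: nothing to compare
        for shown in (title, text):  # title is the commit's rule; text goes beyond it
            shown_host = _host(shown)
            if shown_host is not None and shown_host != real:
                hits.append((href, shown.strip()))
                break
    return hits

# Constructed sample: the anchor quoted in comment 3, then one (made up here)
# that puts the fake URL in the link text instead of the title attribute.
SAMPLE_MAIL = ('<a href="http://http://rakibkhan.com/boWzhT98/index.html/" '
    'title="http://www.linkedin.com">Adjust your message settings.</a>'
    '<a href="http://attacker.example/login">https://www.linkedin.com/login</a>')
```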
Comment 9 Laurent Montel 2013-03-20 07:09:23 UTC
Thomas in 4.11 I created a scam detector.
It's the beginning but I will add more checks.

Regards
Comment 10 Thomas Tanghus 2013-03-20 09:53:49 UTC
(In reply to comment #9)
> Thomas in 4.11 I created a scam detector.
> It's the beginning but I will add more checks.

This is awesome. More than I had asked for :)
Comment 11 Laurent Montel 2013-03-20 10:52:47 UTC
Now we have a widget to inform that a message is perhaps a scam message.
I will investigate more rules to check them.
Regards
Comment 12 meyerm 2013-08-27 08:37:30 UTC
Hey, that's really cool! Thank you!

But please check out bug #324103 as this could lead to misunderstandings by people not being aware of technical details.